Open Source AI SOC Automation

Scale Your SOC Without Scaling Headcount

Open-source AI assistant that acts as Layer 0 in your SOC stack,
automating alert triage, investigation, and escalation on top of Wazuh.
Built for multi-tenant MSSP operations.

Multi-Tenant
Built for MSSPs
Open Source
MIT Licensed
HITL
Human Control
Wazuh
Native Integration

Built by Atricore • 20+ years delivering IAM, IGA, and SOC solutions
Official Wazuh and Evolveum partner

Your SIEM detects everything.
Your team cannot investigate all of it.

As you add customers, alert volume increases. Headcount follows.
Margins tighten. Quality becomes inconsistent across shifts.

The constraint is not detection. It is investigation.

The Business Case

SOCTalk changes the economics of running a SOC

1:N
Analyst Scaling

One deployment serves unlimited customers without adding headcount

$0
Licensing Cost

MIT licensed. No per-alert, per-user, or per-tenant fees

Minutes
Triage Time

Automated investigation while analysts handle only real threats

24/7
Coverage

Continuous operation with no backlog or shift gaps

Traditional SOC vs. SOCTalk

Compare the operational model and total cost of ownership

Traditional SOC

  • Headcount scales 1:1 with customers
  • Analyst costs eat margin at scale
  • Manual triage creates backlogs
  • Quality varies by shift and fatigue
  • No audit trail for decisions

With SOCTalk

  • One deployment, unlimited customers
  • Zero licensing costs (MIT open source)
  • Automated triage, no backlog
  • Consistent logic, 24/7 operation
  • Complete audit trail with replay

Built to Reduce Risk, Not Create It

Every CISO concern addressed by design

Measurable KPIs

Track MTTT, MTTR, false positive rates, and analyst and LLM efficiency. Real-time dashboards show ROI and operational impact.

Zero visibility risk

Human in the Loop

AI recommends. Humans decide. Every escalation requires analyst approval before action.

Zero autonomous escalation risk

Audit Log & Compliance

Event sourcing captures every alert, enrichment, verdict, and human decision. Full replay capability for audits and incident review.

Zero compliance gap risk

Is This for You?

Building SOC-as-a-Service

You need multi-tenant automation that preserves margin as you scale. You want open-source foundations without vendor lock-in.

Expanding Wazuh Services

You run Wazuh across customers and want to add managed triage without scaling headcount proportionally.

In both cases, SOCTalk acts as Layer 0 in your operations stack. Wazuh detects. SOCTalk investigates, enriches, and triages. Your analysts handle only escalated threats, already contextualized and ready for response.

How It Works

Layer 0 automation that handles investigation between detection and response

DETECTION LAYER
Wazuh SIEM
LAYER 0: SOCTalk AI Investigation

Autonomous triage and enrichment

Poll & Correlate

Continuous monitoring of Wazuh alerts with event correlation

Enrich

Query Cortex, MISP, and threat intel for full context

Analyze

AI reasoning generates verdict and severity assessment

Multi-Tenant Isolated
Event Sourced Audit Trail
HUMAN IN THE LOOP
Analyst Review & Approval

Dashboard, Slack, or CLI - analyst approves before action

Auto-Close

Low severity, confirmed false positive

TheHive Case

High severity, escalated for response

Re-investigate

Ambiguous, needs more enrichment

Flexible Deployment

Deploy on your infrastructure or client infrastructure. MIT licensed with zero lock-in. Full control and customization.

Powered by LangGraph

AI workflow orchestration with two-tier LLM architecture. Fast router model for triage, reasoning model for complex analysis.

SOCTalk as Layer 0

The foundational automation layer between detection and human analysts

SOCTalk Architecture - Layer 0 in the SOC Stack

Investigation Workflow

1

Continuous Polling

Watches Wazuh for new alerts, correlates related events, prioritizes by severity

2

Parallel Enrichment

Queries Wazuh, Cortex analyzers, and MISP threat intel for complete context

3

AI Reasoning

Two-tier LLM architecture analyzes enriched data and generates triage verdict

4

Threshold Routing

High severity → human review. Low risk → auto-close. Ambiguous → more enrichment

5

Human Review

Analyst approves, rejects, or requests more info via dashboard, Slack, or CLI

6

Action Execution

Creates TheHive cases for escalations. Auto-closes confirmed false positives
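The six steps above form one pipeline: poll, enrich, assess, route by threshold, gate on a human decision, then act, with every step written to an append-only audit log. The block below is an added illustration of that control flow in Python, not SOCTalk's own code: the Wazuh-style alerts, the threat-intel table, the tenant names and the `assess()` scoring are all constructed stand-ins (a real deployment would call Cortex/MISP and an LLM there). The point it demonstrates is that nothing reaches an escalation action without a recorded analyst decision, and that the outcome can be rebuilt from the event log alone.

```python
"""Hypothetical Layer 0 triage loop: poll -> enrich -> verdict -> threshold
routing -> human gate -> action, with an event-sourced audit trail.
Illustration only; not SOCTalk's implementation."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Route(str, Enum):
    AUTO_CLOSE = "auto_close"
    HUMAN_REVIEW = "human_review"
    RE_INVESTIGATE = "re_investigate"

# Constructed threat-intel table standing in for a MISP/Cortex lookup.
CONSTRUCTED_INTEL = {"203.0.113.7": {"malicious": True, "source": "constructed-feed"}}

# Constructed Wazuh-style alerts (rule.level is Wazuh's 0-15 scale).
SAMPLE_HIGH = {"rule": {"id": "c-1", "level": 5, "description": "ssh login failure"},
               "agent": {"name": "web-01"}, "data": {"srcip": "203.0.113.7"}}
SAMPLE_LOW = {"rule": {"id": "c-2", "level": 2, "description": "cron session opened"},
              "agent": {"name": "web-02"}, "data": {"srcip": "10.0.0.5"}}
SAMPLE_AMBIGUOUS = {"rule": {"id": "c-3", "level": 5, "description": "ssh login failure"},
                    "agent": {"name": "web-03"}, "data": {"srcip": "198.51.100.9"}}

@dataclass
class TriageState:
    tenant: str
    alert: dict
    enrichment: dict = field(default_factory=dict)
    verdict: Optional[dict] = None
    events: list = field(default_factory=list)

    def record(self, kind: str, **payload) -> None:
        # Append-only: every step becomes an event tagged with its tenant.
        self.events.append({"seq": len(self.events) + 1, "tenant": self.tenant,
                            "kind": kind, **payload})

def enrich(state: TriageState) -> None:
    ip = state.alert.get("data", {}).get("srcip")
    hit = CONSTRUCTED_INTEL.get(ip, {"malicious": False, "source": None})
    state.enrichment = {"srcip": ip, **hit}
    state.record("enriched", enrichment=state.enrichment)

def assess(state: TriageState) -> dict:
    # Deterministic stand-in for the LLM reasoning step: severity 0-10, confidence 0-1.
    level = state.alert["rule"]["level"]
    severity, confidence = min(10, level), 0.6
    if state.enrichment.get("malicious"):
        severity, confidence = max(severity, 8), 0.9   # intel hit raises both
    elif level <= 3:
        confidence = 0.9                                # benign low-level noise
    state.verdict = {"severity": severity, "confidence": confidence}
    state.record("verdict", **state.verdict)
    return state.verdict

def route(verdict: dict, high: int = 7, low: int = 3, min_conf: float = 0.8) -> Route:
    # Threshold routing: high -> human, confident low -> auto-close, else re-investigate.
    if verdict["severity"] >= high:
        return Route.HUMAN_REVIEW
    if verdict["severity"] <= low and verdict["confidence"] >= min_conf:
        return Route.AUTO_CLOSE
    return Route.RE_INVESTIGATE

def triage(tenant: str, alert: dict):
    state = TriageState(tenant=tenant, alert=alert)
    state.record("alert_received", rule_id=alert["rule"]["id"])
    enrich(state)
    decision = route(assess(state))
    state.record("routed", route=decision.value)
    return state, decision

def apply_human_decision(state: TriageState, analyst: str, decision: str) -> str:
    # The escalation action is only reachable after an analyst decision is logged.
    state.record("human_decision", analyst=analyst, decision=decision)
    actions = {"approve": "thehive_case_created", "reject": "closed_false_positive",
               "more_info": "re_investigate"}
    action = actions[decision]
    state.record("action", action=action)
    return action

def replay(events: list) -> dict:
    # Rebuild the outcome purely from the event log (audit / incident review).
    out = {"tenant": None, "route": None, "decision": None, "action": None}
    for e in events:
        out["tenant"] = e["tenant"]
        if e["kind"] == "routed":
            out["route"] = e["route"]
        elif e["kind"] == "human_decision":
            out["decision"] = e["decision"]
        elif e["kind"] == "action":
            out["action"] = e["action"]
    return out

if __name__ == "__main__":
    st, r = triage("tenant-a", SAMPLE_HIGH)
    print(r.value, apply_human_decision(st, "alice", "approve"))
    print(replay(st.events))
```

The thresholds in `route()` are the tunable part: an MSSP would set `high`, `low` and `min_conf` per tenant and keep the replayable log as evidence that every TheHive case traces back to a named analyst's approval.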

Deployment Options

Your infrastructure. Your choice. Atricore supports both.

Self-Deployed

  • Deploy on your infrastructure or client's
  • MIT licensed, zero cost
  • Full control and customization
  • Docker Compose deployment
View deployment docs

Atricore-Implemented

  • Architecture design and planning
  • Full stack integration (Wazuh/Cortex/TheHive/MISP)
  • Multi-tenant configuration
  • Ongoing technical support
Contact for implementation

Beyond Alert Triage

When combined with Atricore's IAM and IGA implementations (including midPoint), you can correlate identity lifecycle events with security alerts.

Identity-Security Correlation

Detect threats tied to privilege changes, terminations, onboarding

Automated Compliance

Connect identity audit trails with security investigations

Full Context Response

SOC sees user roles, access history, governance policies

This integration is rare in the market. Atricore delivers IGA (midPoint) + SIEM (Wazuh) + AI automation (SOCTalk) as a cohesive, open-source architecture with no vendor lock-in.

Ready to Scale Your Business?

Join the beta program and be among the first MSSPs to automate alert triage with SOCTalk.